In most existing methods for detecting and removing malicious programs, a local engine scans according to built-in scanning positions. A feature (such as the MD5) of any unknown program file that cannot be identified locally is sent to a cloud server; the cloud server compares the feature sent by the client and judges whether the file is a malicious program, and if so, the local engine of the client cleans up the malicious program according to cleanup logic built into the client. However, in the intense, ongoing confrontation between malicious programs and security software, authors of malicious programs will always find new exploitable points in the operating system and points ignored by security software, thereby bypassing the security software's detection and removal. When this happens, after a security vendor obtains a sample of the malicious program, it generally needs to modify the local engine to be able to detect and remove the new malicious program. During the period from obtaining the sample, through manual analysis, to upgrading all clients to a new version of the engine program files, the malicious program has already spread over a large area.
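The existing approach described above can be modelled as follows. This is an added illustration, not code from the original document; the directory names, class names and sample bytes are constructed assumptions. It shows that a file the cloud would judge malicious is never submitted when it sits outside the scanning positions built into the client.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: directories the local engine is hard-coded to scan.
BUILTIN_SCAN_POSITIONS = ("startup", "services")

def md5_feature(path):
    """Feature the client extracts from a program file (MD5, as in the text)."""
    return hashlib.md5(path.read_bytes()).hexdigest()

class CloudServer:
    """Cloud side: compares submitted features with known-malicious ones."""
    def __init__(self, malicious_features):
        self.malicious = set(malicious_features)

    def judge(self, features):
        return {f: f in self.malicious for f in features}

class LocalEngine:
    """Client side: scan positions and cleanup logic are fixed at build time."""
    def __init__(self, root):
        self.root = Path(root)

    def scan(self, cloud):
        # Only files under the built-in positions are ever hashed and sent.
        seen = [(md5_feature(f), f) for pos in BUILTIN_SCAN_POSITIONS
                for f in sorted((self.root / pos).glob("*"))]
        verdicts = cloud.judge({feat for feat, _ in seen})
        return [f for feat, f in seen if verdicts[feat]]

    def clean(self, files):
        for f in files:  # built-in cleanup logic: delete the file
            f.unlink()

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for pos in ("startup", "services", "new_location"):
            (root / pos).mkdir()
        sample = b"constructed-sample-bytes"  # constructed, not real malware
        (root / "startup" / "a.bin").write_bytes(sample)
        (root / "services" / "ok.bin").write_bytes(b"constructed-benign-bytes")
        (root / "new_location" / "b.bin").write_bytes(sample)  # same content
        cloud = CloudServer([hashlib.md5(sample).hexdigest()])
        engine = LocalEngine(root)
        found = engine.scan(cloud)
        engine.clean(found)
        survived = (root / "new_location" / "b.bin").exists()
        return [p.relative_to(root).as_posix() for p in found], survived
```

Covering `new_location` in this model requires changing `BUILTIN_SCAN_POSITIONS`, that is, shipping a new client engine, which is the update delay the passage describes.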